Correct multiple fallback providers

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Actions/action.FIN

@@ -1,33 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/action.FIN
-#
-# FIN Action
-#
-# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
-#
-# Complete documentation is available at http://shorewall.net
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of Version 2 of the GNU General Public License
-# as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# FIN[([<action>])]
-#
-# Default action is ACCEPT
-#
-###############################################################################
-
-DEFAULTS ACCEPT,-
-
-@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN,PSH ACK,FIN,PSH

Shorewall/Perl/Shorewall/Chains.pm

@@ -32,7 +32,6 @@ require Exporter;
 use Scalar::Util 'reftype';
 use Digest::SHA qw(sha1_hex);
 use File::Basename;
-use Socket;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
@@ -138,12 +137,6 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE
 
-				       validate_port
-				       validate_portpair
-				       validate_portpair1
-				       validate_port_list
-				       expand_port_range
-
 				       PREROUTING
 				       INPUT
 				       FORWARD
@@ -516,7 +509,6 @@ our $idiotcount1;
 our $hashlimitset;
 our $global_variables;
 our %address_variables;
-our %port_variables;
 our $ipset_rules;
 
 #
@@ -792,7 +784,6 @@ sub initialize( $$$ ) {
     %interfaceacasts    = ();
     %interfacegateways  = ();
     %address_variables  = ();
-    %port_variables     = ();
 
     $global_variables   = 0;
     $idiotcount         = 0;
@@ -828,196 +819,6 @@ sub initialize( $$$ ) {
     #
 }
 
-sub record_runtime_port( $ ) {
-    my ( $variable ) = @_;
-
-    if ( $variable =~ /^{([a-zA-Z_]\w*)}$/ ) {
-	fatal_error "Variable %variable is already used as an address variable" if $address_variables{$1};
-	$port_variables{$1} = 1;
-    } else {
-	fatal_error( "Invalid port variable (%$variable)" );
-    }
-
-    "\$$variable";
-}
-
-sub validate_port( $$ ) {
-    my ($proto, $port) = @_;
-
-    my $value;
-
-    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
-	$port = numeric_value $port;
-	return $port if defined $port && $port && $port <= 65535;
-    } elsif ( $port =~ /^%(.*)/ ) {
-	$value = record_runtime_port( $1 );
-    } else {
-	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
-	$value = getservbyname( $port, $proto );
-    }
-
-    return $value if defined $value;
-
-    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
-
-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
-}
-
-sub validate_portpair( $$ ) {
-    my ($proto, $portpair) = @_;
-    my $what;
-    my $pair = $portpair;
-    #
-    # Accept '-' as a port-range separator
-    #
-    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
-
-    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
-
-    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
-    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
-
-    my @ports = split /:/, $pair, 2;
-
-    my $protonum = resolve_proto( $proto ) || 0;
-
-    $_ = validate_port( $protonum, $_) for grep $_, @ports;
-
-    if ( @ports == 2 ) {
-	$what = 'port range';
-
-	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
-	    fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
-	}
-    } else {
-	$what = 'port';
-    }
-
-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
-	defined $protonum && ( $protonum == TCP     ||
-			       $protonum == UDP     ||
-			       $protonum == UDPLITE ||
-			       $protonum == SCTP    ||
-			       $protonum == DCCP );
-    join ':', @ports;
-
-}
-
-sub validate_portpair1( $$ ) {
-    my ($proto, $portpair) = @_;
-    my $what;
-
-    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
-
-    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
-
-    my @ports = split /-/, $portpair, 2;
-
-    my $protonum = resolve_proto( $proto ) || 0;
-
-    $_ = validate_port( $protonum, $_) for grep $_, @ports;
-
-    if ( @ports == 2 ) {
-	$what = 'port range';
-
-	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
-	    fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
-	}
-    } else {
-	$what = 'port';
-	fatal_error 'Invalid port number (0)' unless $portpair;
-    }
-
-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
-	defined $protonum && ( $protonum == TCP  ||
-			       $protonum == UDP  ||
-			       $protonum == SCTP ||
-			       $protonum == DCCP );
-    join '-', @ports;
-
-}
-
-sub validate_port_list( $$ ) {
-    my $result = '';
-    my ( $proto, $list ) = @_;
-    my @list   = split_list( $list, 'port' );
-
-    if ( @list > 1 && $list =~ /[:-]/ ) {
-	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
-    }
-
-    $proto = proto_name $proto;
-
-    for ( @list ) {
-	my $value = validate_portpair( $proto , $_ );
-	$result = $result ? join ',', $result, $value : $value;
-    }
-
-    $result;
-}
-
-#
-# Expands a port range into a minimal list of ( port, mask ) pairs.
-# Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
-#
-# Example:
-#
-#       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
-#       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
-#
-sub expand_port_range( $$ ) {
-    my ( $proto, $range ) = @_;
-
-    if ( $range =~ /^(.*):(.*)$/ ) {
-	my ( $first, $last ) = ( $1, $2);
-	my @result;
-
-	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
-	#
-	# Supply missing first/last port number
-	#
-	$first = 0     if $first eq '';
-	$last  = 65535 if $last eq '';
-	#
-	# Validate the ports
-	#
-	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
-
-	$last++; #Increment last address for limit testing.
-	#
-	# Break the range into groups:
-	#
-	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
-	#      - Otherwise, find the largest power of two P that divides the first address such that
-	#        the remaining range has less than or equal to P ports. The next group is
-	#        ( <first> , ~( P-1 ) ).
-	#
-	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
-	    my $mask = 0xffff;         #Mask for current ports in group.
-	    my $y    = 2;              #Next power of two to test
-	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
-
-	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
-		$mask <<= 1;
-		$z  = $y;
-		$y <<= 1;
-	    }
-	    #
-	    #
-	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
-	    $first += $z;
-	}
-
-	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
-
-	@result;
-
-    } else {
-	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
-    }
-}
-
 #
 # Functions to manipulate cmdlevel
 #
@@ -5957,7 +5758,6 @@ sub record_runtime_address( $$;$$ ) {
 
     if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
 	fatal_error "Mixed required/optional usage of address variable $1" if ( $address_variables{$1} || $addrtype ) ne $addrtype;
-	fatal_error "Variable %variable is already used as a port variable" if $port_variables{$1};
 	$address_variables{$1} = $addrtype;
 	return '$' . "$1 ";
     }
@@ -7245,19 +7045,6 @@ sub verify_address_variables() {
 	      qq(    startup_error "Invalid value ($address) for address variable $variable"),
 	      qq(fi\n) );
     }
-
-    for my $variable( keys %port_variables ) {
-	my $port = "\$$variable";
-	my $type = $port_variables{$variable};
-
-	emit( qq(if [ -z "$port" ]; then) ,
-	      qq(    $variable=255) ,
-	      qq(elif qt \$g_tool -A INPUT -p 6 --dport $port; then) ,
-	      qq(    qt \$g_tool -D INPUT -p 6 --dport $variable) ,
-	      qq(else) ,
-	      qq(    startup_error "Invalid valid ($port) for port variable $variable") ,
-	      qq(fi\n) );
-    }
 }
 
 #

Shorewall/Perl/Shorewall/Config.pm

@@ -488,55 +488,53 @@ our %helpers_aliases;
 our %helpers_enabled;
 
 our %config_files = ( #accounting      => 1,
-		      actions	       => 1,
-		      blacklist	       => 1,
-		      clear	       => 1,
-		      conntrack	       => 1,
-		      ecn	       => 1,
-		      findgw	       => 1,
-		      hosts	       => 1,
-		      init	       => 1,
-		      initdone	       => 1,
+		      actions          => 1,
+		      blacklist        => 1,
+		      clear            => 1,
+		      conntrack        => 1,
+		      ecn              => 1,
+		      findgw           => 1,
+		      hosts            => 1,
+		      init             => 1,
+		      initdone         => 1,
 		      interfaces       => 1,
-		      isusable	       => 1,
-		      maclist	       => 1,
-		      mangle	       => 1,
-		      masq	       => 1,
-		      nat	       => 1,
-		      netmap	       => 1,
-		      params	       => 1,
-		      policy	       => 1,
-		      providers	       => 1,
-		      proxyarp	       => 1,
-		      refresh	       => 1,
-		      refreshed	       => 1,
-		      restored	       => 1,
-		      rawnat	       => 1,
+		      isusable         => 1,
+		      maclist          => 1,
+		      masq             => 1,
+		      nat              => 1,
+		      netmap           => 1,
+		      params           => 1,
+		      policy           => 1,
+		      providers        => 1,
+		      proxyarp         => 1,
+		      refresh          => 1,
+		      refreshed        => 1,
+		      restored         => 1,
+		      rawnat           => 1,
 		      route_rules      => 1,
-		      routes	       => 1,
+		      routes           => 1,
 		      routestopped     => 1,
-		      rtrules	       => 1,
-		      rules	       => 1,
-		      scfilter	       => 1,
-		      secmarks	       => 1,
-		      snat	       => 1,
-		      start	       => 1,
-		      started	       => 1,
-		      stop	       => 1,
-		      stopped	       => 1,
+		      rtrules          => 1,
+		      rules            => 1,
+		      scfilter         => 1,
+		      secmarks         => 1,
+		      start            => 1,
+		      started          => 1,
+		      stop             => 1,
+		      stopped          => 1,
 		      stoppedrules     => 1,
-		      tcclasses	       => 1,
-		      tcclear	       => 1,
-		      tcdevices	       => 1,
-		      tcfilters	       => 1,
+		      tcclasses        => 1,
+		      tcclear          => 1,
+		      tcdevices        => 1,
+		      tcfilters        => 1,
 		      tcinterfaces     => 1,
-		      tcpri	       => 1,
-		      tcrules	       => 1,
-		      tos	       => 1,
-		      tunnels	       => 1,
-		      zones	       => 1 );
+		      tcpri            => 1,
+		      tcrules          => 1,
+		      tos              => 1,
+		      tunnels          => 1,
+		      zones            => 1 );
 #
-# Options that involve the AUDIT target
+# Options that involve the the AUDIT target
 #
 our @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
 #
@@ -1168,7 +1166,7 @@ sub initialize( $;$$) {
     #
     # Process the global shorewallrc file
     #
-    #   Note: The build script calls this function passing only the protocol family
+    #   Note: The build file executes this function passing only the protocol family
     #
     process_shorewallrc( $shorewallrc,
 			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
@@ -1219,9 +1217,10 @@ sub compiletime() {
 # Create 'currentlineinfo'
 #
 sub currentlineinfo() {
+    my $linenumber = $currentlinenumber || 1;
+
     if ( $currentfilename ) {
-	my $linenumber = $currentlinenumber || 1;
-	my $lineinfo   = " $currentfilename ";
+	my $lineinfo = " $currentfilename ";
 	
 	if ( $linenumber eq 'EOF' ) {
 	    $lineinfo .= '(EOF)'

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -63,6 +63,7 @@ our @EXPORT = ( qw( ALLIPv4
 		  validate_host
 		  validate_range
 		  ip_range_explicit
+		  expand_port_range
 		  allipv4
 		  allipv6
 		  allip
@@ -73,6 +74,10 @@ our @EXPORT = ( qw( ALLIPv4
 		  resolve_proto
 		  resolve_dnsname
 		  proto_name
+		  validate_port
+		  validate_portpair
+		  validate_portpair1
+		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
 		 ) );
@@ -406,6 +411,114 @@ sub proto_name( $ ) {
     $proto =~ /^(\d+)$/ ? $prototoname[ $proto ] || scalar getprotobynumber $proto : $proto
 }
 
+sub validate_port( $$ ) {
+    my ($proto, $port) = @_;
+
+    my $value;
+
+    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
+	$port = numeric_value $port;
+	return $port if defined $port && $port && $port <= 65535;
+    } else {
+	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
+	$value = getservbyname( $port, $proto );
+    }
+
+    return $value if defined $value;
+
+    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
+
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+}
+
+sub validate_portpair( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+    my $pair = $portpair;
+    #
+    # Accept '-' as a port-range separator
+    #
+    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
+
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
+
+    $pair = "0$pair"       if substr( $pair,  0, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
+
+    my @ports = split /:/, $pair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+    } else {
+	$what = 'port';
+    }
+
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP     ||
+			       $protonum == UDP     ||
+			       $protonum == UDPLITE ||
+			       $protonum == SCTP    ||
+			       $protonum == DCCP );
+    join ':', @ports;
+
+}
+
+sub validate_portpair1( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+
+    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
+
+    $portpair = "1$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+
+    my @ports = split /-/, $portpair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+    } else {
+	$what = 'port';
+	fatal_error 'Invalid port number (0)' unless $portpair;
+    }
+
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP  ||
+			       $protonum == UDP  ||
+			       $protonum == SCTP ||
+			       $protonum == DCCP );
+    join '-', @ports;
+
+}
+
+sub validate_port_list( $$ ) {
+    my $result = '';
+    my ( $proto, $list ) = @_;
+    my @list   = split_list( $list, 'port' );
+
+    if ( @list > 1 && $list =~ /[:-]/ ) {
+	require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
+    }
+
+    $proto = proto_name $proto;
+
+    for ( @list ) {
+	my $value = validate_portpair( $proto , $_ );
+	$result = $result ? join ',', $result, $value : $value;
+    }
+
+    $result;
+}
+
 my %icmp_types = ( any                          => 'any',
 		   'echo-reply'                 => 0,
 		   'destination-unreachable'    => 3,
@@ -459,6 +572,67 @@ sub validate_icmp( $ ) {
     fatal_error "Invalid ICMP Type ($type)"
 }
 
+#
+# Expands a port range into a minimal list of ( port, mask ) pairs.
+# Each port and mask are expressed as 4 hex nibbles without a leading '0x'.
+#
+# Example:
+#
+#       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
+#       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
+#
+sub expand_port_range( $$ ) {
+    my ( $proto, $range ) = @_;
+
+    if ( $range =~ /^(.*):(.*)$/ ) {
+	my ( $first, $last ) = ( $1, $2);
+	my @result;
+
+	fatal_error "Invalid port range ($range)" unless $first ne '' or $last ne '';
+	#
+	# Supply missing first/last port number
+	#
+	$first = 0     if $first eq '';
+	$last  = 65535 if $last eq '';
+	#
+	# Validate the ports
+	#
+	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
+
+	$last++; #Increment last address for limit testing.
+	#
+	# Break the range into groups:
+	#
+	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
+	#      - Otherwise, find the largest power of two P that divides the first address such that
+	#        the remaining range has less than or equal to P ports. The next group is
+	#        ( <first> , ~( P-1 ) ).
+	#
+	while ( ( my $ports = ( $last - $first ) ) > 0 ) {
+	    my $mask = 0xffff;         #Mask for current ports in group.
+	    my $y    = 2;              #Next power of two to test
+	    my $z    = 1;              #Number of ports in current group (Previous value of $y).
+
+	    while ( ( ! ( $first % $y ) ) && ( $y <= $ports ) ) {
+		$mask <<= 1;
+		$z  = $y;
+		$y <<= 1;
+	    }
+	    #
+	    #
+	    push @result, sprintf( '%04x', $first ) , sprintf( '%04x' , $mask & 0xffff );
+	    $first += $z;
+	}
+
+	fatal_error "Invalid port range ($range)" unless @result; # first port > last port
+
+	@result;
+
+    } else {
+	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
+    }
+}
+
 sub valid_6address( $ ) {
     my $address = $_[0];
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -64,6 +64,8 @@ our @load_interfaces;
 
 our $balancing;
 our $fallback;
+our $balanced_providers;
+our $fallback_providers;
 our $metrics;
 our $first_default_route;
 our $first_fallback_route;
@@ -99,6 +101,8 @@ sub initialize( $ ) {
     %provider_interfaces    = ();
     @load_interfaces        = ();
     $balancing              = 0;
+    $balanced_providers     = 0;
+    $fallback_providers     = 0;
     $fallback               = 0;
     $metrics                = 0;
     $first_default_route    = 1;
@@ -323,7 +327,13 @@ sub balance_default_route( $$$$ ) {
     emit '';
 
     if ( $first_default_route ) {
-	if ( $gateway ) {
+	if ( $balanced_providers == 1 ) {
+	    if ( $gateway ) {
+		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
+	    }
+	} elsif ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
 	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
@@ -347,7 +357,13 @@ sub balance_fallback_route( $$$$ ) {
     emit '';
 
     if ( $first_fallback_route ) {
-	if ( $gateway ) {
+	if ( $fallback_providers == 1 ) {
+	    if ( $gateway ) {
+		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
+	    }
+	} elsif ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
 	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
@@ -593,7 +609,12 @@ sub process_a_provider( $ ) {
 	}
     }
 
-    fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;
+    if ( $balance ) {
+	fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $default;
+	$balanced_providers++;
+    } elsif ( $default ) {
+	$fallback_providers++;
+    }
 
     if ( $load ) {
 	fatal_error q(The 'balance=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $balance > 1;
@@ -1534,9 +1555,9 @@ sub finish_providers() {
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
 		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
-		    "        run_ip -6 route add default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
-		    "        run_ip -6 route replace default scope global table $table \$DEFAULT_ROUTE",
+		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
 		    '    fi',
 		    '' );
 	}

Shorewall/actions.std

@@ -32,7 +32,6 @@ DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED	#
-FIN	     inline,audit	# Handles ACK,FIN,PSH packets
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 GlusterFS    inline		# Handles GlusterFS
 IfEvent	     noinline		# Perform an action based on an event

Shorewall6/actions.std

@@ -28,7 +28,6 @@ DropDNSrep   inline		# Drops DNS replies
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
 Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED
-FIN	     inline,audit	# Handles ACK,FIN,PSH packets
 forwardUPnP  noinline		# Allow traffic that upnpd has redirected from 'upnp' interfaces.
 IfEvent      noinline           # Perform an action based on an event
 Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state

docs/configuration_file_basics.xml

@@ -1903,39 +1903,6 @@ SSH(ACCEPT)    net:$MYIP      $FW
     the intefaces's run-time gateway variable are omitted.</para>
   </section>
 
-  <section id="Port_Variables">
-    <title>Port Variables</title>
-
-    <para>Beginning with Shorewall 5.1.5, <firstterm>Run-time Port
-    Variables</firstterm> are supported. These variables have the format
-    %{<replaceable>variable</replaceable>} and may appear any place that a
-    port number or service name may appear. Like their address-variable
-    counterparts above, Run-time Port Variables are most useful when
-    Shorewall[6]-lite is being used.</para>
-
-    <para>Example using both Run-time Address and Run-time Port
-    Variables:</para>
-
-    <para>/etc/shorewall/init:</para>
-
-    <programlisting>     SERVER_PORT=4126
-     SERVER_ADDRESS=192.0.44.12</programlisting>
-
-    <para>/etc/shorewall/rules:</para>
-
-    <programlisting>     ACCEPT         net            dmz:%{SERVER_ADDRESS}           tcp          %{SERVER_PORT}</programlisting>
-
-    <para>Rather than assigning a numerical literal to SERVER_PORT in the
-    <filename>init</filename> extension script as shown above, the variable
-    could be assigned a dynamic value based on a database lookup.</para>
-
-    <important>
-      <para>If no value is assigned to a Run-time Port Variable in the
-      <filename>init</filename> extension script, then the value 255 is
-      assumed.</para>
-    </important>
-  </section>
-
   <section id="ActionVariables">
     <title>Action Variables</title>
 

docs/three-interface.xml

@@ -20,8 +20,6 @@
     <copyright>
       <year>2002-2009</year>
 
-      <year>2016-2017</year>
-
       <holder>Thomas M. Eastep</holder>
     </copyright>
 

docs/two-interface.xml

@@ -17,8 +17,6 @@
     <copyright>
       <year>2002-2009</year>
 
-      <year>2016-2017</year>
-
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -170,7 +168,7 @@
             <programlisting>~# rpm -ql shorewall | fgrep two-interfaces
 /usr/share/doc/packages/shorewall/Samples/two-interfaces
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces
-/usr/share/doc/packages/shorewall/Samples/two-interfaces/snat
+/usr/share/doc/packages/shorewall/Samples/two-interfaces/masq
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/zones